Content protection

Hello everyone!
Currently:
The link for every PeerTube asset, either video or Live stream, can be copied and played outside of the origin instance using any HLS-capable player.
It introduces a few issues:

  1. content can’t be properly limited to « internal » or authenticated users
  2. extra load (which will bypass p2p) to the origin will be created in case of the origin URL being placed into another internet resource

Expected:
To have a stream-key for each « view » user session, like the Live stream-key currently used for stream publishing.

  1. On a stream « play » event, the user gets a unique « view-session », which is attached to the URL as a query and associated with the user
  2. Nginx allows requests for .ts files only with the « ?session=ZMi1HCOyjbYvr1PSYpb6Ow&t=1624883520 », where session is nginx’s secure_link calculated using the user’s auth token+content_id and t is the unix time the session is valid (say it’s 3mins)
  3. Every « watching » PUT request should update the session by issuing a new session and extending t (session validity time)
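A sketch of the scheme proposed above, added here as an example; it is not part of the original post and not PeerTube code. It computes the token in the form nginx's `secure_link_md5` expects (unpadded base64url of an MD5 digest) and mirrors the check nginx would make. The secret, the path, the cookie name and the `binding` string (user auth token plus content id, which nginx would have to read from the request) are assumptions.

```python
import base64
import hashlib
import hmac
import time

SECRET = "constructed-server-secret"  # constructed value, shared with nginx
SESSION_TTL = 180                     # the post's "say it's 3mins"


def sign(uri, binding, expires, secret=SECRET):
    """base64url(MD5(expr)) without padding, as secure_link_md5 expects.

    Assumed matching nginx config (cookie name is hypothetical):
        secure_link     $arg_session,$arg_t;
        secure_link_md5 "$secure_link_expires$uri$cookie_binding <secret>";
    """
    expr = f"{expires}{uri}{binding} {secret}".encode()
    digest = hashlib.md5(expr).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def issue(uri, binding, now=None):
    """Return (session, t) for a play event or a "watching" refresh."""
    now = int(time.time()) if now is None else now
    expires = now + SESSION_TTL
    return sign(uri, binding, expires), expires


def check(uri, binding, session, t, now=None):
    """Mirror nginx: 'ok', 'expired' ($secure_link is "0") or 'bad' (empty)."""
    now = int(time.time()) if now is None else now
    try:
        expires = int(t)
    except (TypeError, ValueError):
        return "bad"
    expected = sign(uri, binding, expires).encode()
    if not hmac.compare_digest(expected, str(session).encode()):
        return "bad"  # wrong user, wrong content, wrong path or edited t
    return "ok" if now <= expires else "expired"


if __name__ == "__main__":
    uri = "/constructed/stream/segment-1.ts"   # constructed path
    who = "constructed-user-token:content-42"  # constructed binding
    s, t = issue(uri, who, now=1624883340)
    print(f"{uri}?session={s}&t={t}", check(uri, who, s, t, now=1624883400))
```

Because `t` is part of the signed string, a copied URL stops working once `t` passes, and extending `t` by hand invalidates the token.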

PeerTube is designed to be open.
It can use federation and redundancy. Your proposal seems contrary to the spirit of Peertube.

On the other hand, it also has privacy settings: internal, private and unlisted, and one can’t provide those without implementing the proposal.
Also, PeerTube has tokens which do a great job for listing and accessing categories, etc.
From my point of view – the missing Authorization token for ts/m3u8 requests is the main issue in achieving this.